Problem Description

TYPO3’s built-in record registration functionality (aka “basic shopping cart”) using recs URL parameters is vulnerable to denial of service. Failing to properly ensure that anonymous user sessions are valid, attackers can use this vulnerability in order to create an arbitrary amount of individual session-data records in the database.

Solution

Update to TYPO3 versions 7.6.32 or 8.7.21 that fix the problem described. The frontend record registration feature has been deprecated in TYPO3 v8.6.0 and finally was removed in TYPO3 v9.0.0 - thus TYPO3 v9 is not affected.

Strong security defaults - Manual actions required

The frontend record registration feature has been disabled in order to apply strong security defaults. Installations that actually are using this functionality have to enable the feature and its vulnerability again. This can be done by enabling $GLOBALS['TYPO3_CONF_VARS']['FE']['enableRecordRegistration'] either using Install Tool or according deployment techniques.

Credits

Thanks to Mads Lønne Jensen who reported this issue and to TYPO3 core team member Benni Mack who fixed the issue.